Tag Archives: Human Rights

…do they turn so slowly that they’ll lead to the Lord Chancellor committing a criminal offence?

On 21 December last year, as we were all sweeping up the mince piece crumbs, removing our party hats and switching off the office lights for another year, the Information Commissioner’s Office (ICO) published, with no accompanying publicity whatsoever, an enforcement notice served on the Secretary of State for Justice. The notice drew attention to the fact that in July 2017 the Ministry of Justice (MoJ) had had a backlog of 919 subject access requests from individuals, some of which dated back to 2012. And by November 2017 that had barely improved – to 793 cases dating back to 2014.

I intended to blog about this at the time, but it’s taken me around nine months to retrieve my chin from the floor, such was the force with which it dropped.

Because we should remember that the exercise of the right of subject access is a fundamental aspect of the fundamental right to protection of personal data. Requesting access to one’s data enables one to be aware of, and verify the lawfulness of, the processing. Don’t take my word for it – look at recital 41 of the-then applicable European data protection directive, and recital 63 of the now-applicable General Data Protection Regulation (GDPR).

And bear in mind that the nature of the MoJ’s work means it often receives subject access requests from prisoners, or others who are going through or have been through the criminal justice system. I imagine that a good many of these horrendously delayed requests were from people with a genuinely-held concern, or grievance, and not just from irritants like me who are interested in data controllers’ compliance.

The notice required MoJ to comply with all the outstanding requests by 31 October 2018. Now, you might raise an eyebrow at the fact that this gave the MoJ an extra eight months to respond to requests which were already incredibly late and which should have been responded to within forty days, but what’s an extra 284 days when things have slipped a little? (*Pseuds’ corner alert* It reminds me of Larkin’s line in The Whitsun Weddings about being so late that he feels: “all sense of being in a hurry gone”).

Maybe one reason the ICO gave MoJ so long to sort things out is that enforcement notices are serious things – a failure to comply is, after all, a criminal offence punishable on indictment by an unlimited fine. So one notes with interest a recent response to a freedom of information request for the regular updates which the notice also required MoJ to provide.

This reveals that by July this year MoJ had whittled down those 793 delayed cases to 285, with none dating back further than 2016. But I’m not going to start hanging out the bunting just yet, because a) more recent cases might well be more complex (because the issues behind them will be likely to be more current, and therefore potentially more complex, and b) because they don’t flaming well deserve any bunting because this was, and remains one of the most egregious and serious compliance failures it’s been my displeasure to have seen.

And what if they don’t clear them all by 31 October? The notice gives no leeway, no get-out – if any of those requests extant at November last year remains unanswered by November this year, the Right Honourable David Gauke MP (the current incumbent of the position of Secretary of State for Justice) will, it appears, have committed a criminal offence.

Will he be prosecuted?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

News emerges of a potential judicial review attempt to force disclosure of government Brexit papers not under FOI but under common law and human rights to information

More than three years ago the Supreme Court handed down judgment in a long-running piece of litigation under the Freedom of Information Act 2000 (FOIA). Journalist Dominic Kennedy had attempted to get disclosure from the Charity Commission of information relating to inquiries into George Galloway’s “Mariam Appeal”. The Commission said, in effect, that the absolute exemption to disclosure at section 32(2) of FOIA was the end of the story, while Kennedy argued that Article 10 of the European Convention on Human Rights imposed a positive obligation of disclosure on public authorities, particularly when the requester was a “public watchdog” like the press, and that s32(2) should be read down accordingly to require disclosure in the circumstances (I paraphrase). In his leading opinion Lord Mance gave this stirring introduction:

Information is the key to sound decision-making, to accountability and development; it underpins democracy and assists in combatting poverty, oppression, corruption, prejudice and inefficiency. Administrators, judges, arbitrators, and persons conducting inquiries and investigations depend upon it; likewise the press, NGOs and individuals concerned to report on issues of public interest. Unwillingness to disclose information may arise through habits of secrecy or reasons of self-protection. But information can be genuinely private, confidential or sensitive, and these interests merit respect in their own right and, in the case of those who depend on information to fulfil their functions, because this may not otherwise be forthcoming. These competing considerations, and the balance between them, lie behind the issues on this appeal.

What was most interesting about the judgment in Kennedy, and, again, I disrespectfully heavily paraphrase, was that the Supreme Court basically said (as it has been wont to do in recent years) – “why harp on about your rights at European law, don’t you realise that our dear old domestic friend the common law gives you similar rights?”

the route by which [Mr Kennedy] may, after an appropriate balancing exercise, be entitled to disclosure, is not under or by virtue of some process of remodelling of section 32, but is under the Charities Act construed in the light of common law principles and/or in the light of article 10 of the Human Rights Convention, if and so far as that article may be engaged

This greatly excited those in the information rights field at the time, but since then, there has been little of prominence to advance the proposition that FOIA rights are not the only route [Ed. there’s a great/awful pun in there somewhere] but it did get a positive airing in R (Privacy International) v HMRC [2014] EWHC 1475 (Admin) (on which see Panopticon post here).

Yesterday (12 October) barrister Jolyon Maugham announced that his Good Law Project was seeking donors towards a judicial review application if the government refused to publish information and reports comparing the predicted economic harm of Brexit with the predicted economic benefits of alternative free trade agreements. Keen followers of information rights litigation will note that Tim Pitt-Payne and Robin Hopkins are instructed: the potential respondents should quake in their boots.

Well worth watching this, and well worth – in my opinion – donating towards the cause.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

The government minister with responsibility for data protection, Matt Hancock, recently spoke to the Leverhulme Centre. He touched on data protection:

a new Data Protection Bill in this Parliamentary Session…will bring the laws up to date for the modern age, introduce new safeguards for citizens, stronger penalties for infringement, and important new features like the right to be forgotten. It will bring the EU’s GDPR and Law Enforcement Directive into UK law, ensuring we are prepared for Brexit.

All pretty standard stuff (let’s ignore the point that the “right to be forgotten” such as it is, exists under existing law – a big clue to this being that the landmark case was heard by the CJEU in 2014). But Hancock went on to cite with approval some recent words of the Information Commissioner, Elizabeth Denham:

I think the ICO’s proposal of a data regulatory “sandbox” approach is very impressive and forward looking. It works in financial regulation and I look forward to seeing it in action here.

This refers to Denham’s recent speech on “Promoting privacy with innovation within the law”, in which she said

We are…looking at how we might be able to engage more deeply with companies as they seek to implement privacy by design…How we can contribute to a “safe space” by building a sandbox where companies can test their ideas, services and business models. How we can better recognise the circular rather than linear nature of the design process.

I thought this was interesting – “sandbox regulation” in the financial services sector involves an application to the Financial Conduct Authority (FCA), for the testing of “innovative” products that don’t necessarily fit into existing regulatory frameworks – the FCA will even where necessary waive rules, and undertake not to take enforcement action.

That this model works for financial services does not, though, necessarily mean it would work when it comes to regulation of laws, such as data protection laws, which give effect to fundamental rights. When I made enquiries to the Information Commissioner’s Office (ICO) for further guidance on what Denham intends, I was told that they “don’t have anything to add to what [she’s] already said about engaging with companies to help implement privacy by design”.

The recent lack of enforcement action by the ICO against the Royal Free NHS Trust regarding its deal with Google Deepmind raised eyebrows in some circles: if the unlawful processing of 1.6 million health records (by their nature sensitive personal data) doesn’t merit formal enforcement, then does anything?

Was that a form of “sandbox regulation”? Presumably not, as it doesn’t appear that the ICO was aware of the arrangement prior to it taking place, but if, as it seems to me, such regulation may involve a light-touch approach where innovation is involved, I really hope that the views and wishes of data subjects are not ignored. If organisations are going to play in the sand with our personal data, we should at the very least know about it.

**EDIT: I have had my attention drawn to references to “sandpits” in the Annual Report of the Deepmind Health Independent Review Panel:

We think it would be helpful if there was a space, similar to the ‘sandpits’ established by the Research Councils, which would allow regulators, the Department of Health and tech providers to discuss these issues at an early stage of product development. The protection of data during testing is an issue that should be discussed in a similar collaborative forum. We believe that there must be a mechanism that allows effective testing without compromising confidential patient information.

It would seem a bit of a coincidence that this report should be published around the same time Denham and Hancock were making their speeches – and I would argue that this only bolsters the case for more transparency from the ICO about how this type of collaborative regulation will take place.

And I notice that the Review Panel say nothing about involving data subjects in “product development”. Until “innovators” understand that data subjects are the key stakeholder in this, I don’t hold out much hope for the proper protection of rights.**

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

The politics.co.uk site reports that an anti-EU umbrella campaign called Leave.EU (or is it theknow.eu?) has been written to by the Information Commissioner’s Office (ICO) after allegedly sending unsolicited emails to people who appear to have been “signed up” by friends or family. The campaign’s bank-roller, UKIP donor Aaron Banks, reportedly said

We have 70,000 people registered and people have been asked to supply 10 emails of friends or family to build out (sic) database

Emails sent to those signed up in this way are highly likely to have been sent in breach of the campaign’s obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and the ICO is reported to have to written to the campaign to

inform them of their obligations under the PECR and to ask them to suppress [the recipient’s] email address from their databases

But is this really the main concern here? Or, rather, should we (and the ICO) be asking what on earth is a political campaign doing building a huge database of people, and identifying them as (potential) supporters without their knowledge? Such concerns go to the very heart of modern privacy and data protection law.

Data protection law’s genesis lie, in part, in the desire, post-war, of European nations to ensure “a foundation of justice and peace in the world”, as the preamble to the European Convention on Human Rights states. The first recital to the European Community Data Protection Directive of 1995 makes clear that the importance of those fundamental rights to data protection law.

The Directive is, of course, given domestic effect by the Data Protection Act 1998 (DPA). Section 2 of the same states that information as to someone’s political beliefs is her personal data: I would submit that presence on a database purporting to show that someone supports the UK”s withdrawal from the European Union is also her personal data. Placing someone on that database, without her knowledge or ability to object, will be manifestly “unfair” when it comes to compliance with the first data protection principle. It may also be inaccurate, when it comes to compliance with the fourth principle.

I would urge the ICO to look much more closely at this – the compiling of (query inaccurate) of secret databases of people’s political opinions has very scary antecedents.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Last week, in the Court of Appeal, the indefatigable, if rather hyperbolic, Mr Dransfield was trying to convince three judges that his request, made long ago, to Devon County Council, for information on Lightning Protection System test results relating to a pedestrian bridge at Exeter Chiefs Rugby Ground, was not vexatious. If he succeeds in overturning what was a thorough, and, I think, pretty unimpeachable ruling in the Upper Tribunal, then we may, at last, have some finality on how to interpret section 14(1) of the Freedom of Information Act 2000 (FOIA):

a public authority [is not obliged] to comply with a request for information if the request is vexatious

But what is certain is that the Court of Appeal will not hand down a ruling which would allow a public authority to feel able merely to state that a request is vexatious, and do nothing more to justify reliance on it. But that is what the Metropolitan Police appear to have done in an extraordinary response to FOIA requests from the Press Gazette. The latter has been engaging in a campaign to expose what it believes to be regular use of surveillance powers to monitor or investigate actions of journalists. This is both a serious subject and a worthy campaign. Investigative journalism, by definition, is likely to involve the making of enquiries, sometimes multiple ones, sometimes speculative, “to discover the truth and to identify lapses from it”. It is inevitable that an investigative journalist will from time to time need to make use of FOIA, and the Information Commissioner’s Office (ICO) advises that

[public] authorities must take care to differentiate between broad requests which rely upon pot luck to reveal something of interest and those where the requester is following a genuine line of enquiry

The ICO doesn’t (and couldn’t) say that a FOIA request from an investigative journalist could never be classed as vexatious, but I think the cases when that would happen would be exceptional. The Upper Tribunal ruling by Wikeley J that Mr Dransfield is seeking to overturn talked of “vexatious” as connoting

a manifestly unjustified, inappropriate or improper use of a formal procedure

and

It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

although it was stressed that these were neither exhaustive, nor a “formulaic checklist”.

It is difficult to imagine that the motive of the Press Gazette journalists can be anything but well-intended, and similarly difficult to claim there is no value or serious purpose to the request, or the other requests which need to be considered for context. Nor has there been, as far as I am aware, any suggestion that the requests have caused Met staff any harassment or distress. So we are (while noting and acknowledging that we are not following a checklist) only likely to be talking about “the burden on the public authority and its staff”. It is true that some requests, although well-intentioned and of serious value, and made in polite terms, have been accepted either by the ICO or the First-tier Tribunal (FTT), as being so burdensome to comply with that (even before considering whether FOIA costs limits are engaged) they merit rejection on vexatiousness grounds. In 2012 the FTT upheld an appeal from the Independent Police Complaints Commission, saying that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12 [costs limits]

and last year the FTT similarly allowed a late submission by the Department of Education that a request from the journalist Laura McInerney for information about Free School applications was vexatious because of the burden it would impose:

There is no question here of anything in the tone of the request tending towards vexatiousness; nor does anyone doubt Ms McInerney’s genuine motives…There is value in openness and transparency in respect of departmental decision making. That value would be increased by the academic scrutiny which the disclosed material would receive…In our judgment, however, these important considerations are dwarfed by the burden which implementation of the request places on DFE.

But it does not appear that the request in question from the Press Gazette was likely to go any way towards being grossly oppressive, or to being a burden which would “dwarf” the other considerations.

Moreover, and it does not appear to have been a point argued in the DfE case, there is an argument, explored through a series of cases in the Court of Justice of the European Union, and, domestically, in the Supreme Court, in Kennedy v ICO and Charity Commission, that Article 10 of the European Convention on Human Rights, providing as it does in part a right “to receive and impart information and ideas without interference by public authority” (subject to limitations that are prescribed by law, necessary and proportionate, and pursue a legitimate aim) might sometimes need to read down into FOIA, particularly where a journalist is the requester. Although the Supreme Court, by a majority, and on the facts (specifically in the context of a FOIA absolute exemption), rejected the submission in Kennedy, the argument in the abstract still has some weight – someone engaging in investigative journalism is clearly generally acting as a “social watchdog”, and the likelihood that they are making a FOIA request with bad motives, or without serious purpose, or in a way likely to harass or cause distress is correspondingly low. It seems to me that, absent the sort of “excessive burden” argument explored in the IPCC and DfE cases – and, as I say, the Met don’t seem to have advanced any such argument – to label a request from an investigative journalist as vexatious is to stand at the top of a slippery slope. One hopes that the Met review and reverse this decision.

Around this time last year I wrote two blogposts about two separate police forces’ decision to tweet the names of drivers charged (but not – yet, at least – convicted) of drink driving offences. In the latter example Staffordshire police were actually using a hashtag #drinkdriversnamedontwitter, and I argued that

If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver. Being charged with an offence does not inevitably lead to conviction. I haven’t been able to find statistics relating to drink-driving acquittals, but in 2010 16% of all defendants dealt with by magistrates’ courts were either acquitted or not proceeded against

The Information Commissioner’s Office investigated whether there had been a breach of the first principle of Schedule One of the Data Protection Act 1998 (DPA), which requires that processing of personal data be “fair and lawful”, but decided to take no action after Staffs police agreed not to use the hashtag again, saying

Our concern was that naming people who have only been charged alongside the label ‘drink-driver’ strongly implies a presumption of guilt for the offence. We have received reassurances from Staffordshire Police the hashtag will no longer be used in this way and are happy with the procedures they have in place. As a result, we will be taking no further action.

But my first blog post had raised questions about whether the mere naming of those charged was in accordance with the same DPA principle. Newspaper articles talked of naming and “shaming”, but where is the shame in being charged with an offence? I wondered why Sussex police didn’t correct those newspapers who attributed the phrase to them.

And this year, Sussex police, as well as neighbouring Surrey, and Somerset and Avon are doing the same thing: naming drivers charged with drink driving offences on twitter or elsewhere online. The media happily describe this as a “naming and shaming” tactic, and I have not seen the police disabusing them, although Sussex police did at least enter into a dialogue with me and others on twitter, in which they assured us that their actions were in pursuit of open justice, and that they were not intending to shame people. However, this doesn’t appear to tally with the understanding of the Sussex Police and Crime Commissioner who said earlier this year

I am keen to find out if the naming and shaming tactic that Sussex Police has adopted is actually working

But I also continue to question whether the practice is in accordance with police forces’ obligations under the DPA. Information relating to the commission or alleged commission by a person of an offence is that person’s sensitive personal data, and for processing to be fair and lawful a condition in both of Schedule Two and, particularly, Schedule Three must be met. And I struggle to see which Schedule Three condition applies – the closest is probably

The processing is necessary…for the administration of justice

But “necessary”, in the DPA, imports a proportionality test of the kind required by human rights jurisprudence. The High Court, in the MPs’ expenses case cited the European Court of Human Rights, in The Sunday Times v United Kingdom(1979) 2 EHRR 245 to the effect that

while the adjective “necessary”, within the meaning of article 10(2) [of the European Convention on Human Rights] is not synonymous with “indispensable”, neither has it the flexibility of such expressions as “admissible”, “ordinary”, “useful”, “reasonable” or “desirable” and that it implies the existence of a “pressing social need.”

and went on to hold, therefore that “necessary” in the DPA

should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends

So is there a pressing social need to interfere with the rights of people charged with (and not convicted of) an offence, in circumstances where the media and others portray the charge as a source of shame? Is it proportionate and fairly balanced to do so? One consideration might be whether the same police forces name all people charged with an offence. If the intent is to promote open justice, then it is difficult to see why one charging decision should merit online naming, and others not.But is the intent really to promote open justice? Or is it to dissuade others from drink-driving? Supt Richard Corrigan of Avon and Somerset police says

This is another tool in our campaign to stop people driving while under the influence of drink or drugs. If just one person is persuaded not to take to the road as a result, then it is worthwhile as far as we are concerned.

and Sussex police’s Chief Inspector Natalie Moloney says

I hope identifying all those who are to appear in court because of drink or drug driving will act as a deterrent and make Sussex safer for all road users

which firstly fails to use the word “alleged” before “drink or drug driving”, and secondly – as Supt Corrigan – suggests the purpose of naming is not to promote open justice, but rather to deter drink drivers.

Deterring drink driving is certainly a worthy public aim (and I stress that I have no sympathy whatsoever with those convicted of such offences) but should the sensitive personal data of who have not been convicted of any offence be used to their detriment in pursuance of that aim?

I worry that unless such naming practices are scrutinised, and challenged when they are unlawful and unfair, the practice will spread, and social “shame” will be encouraged to be visited on the innocent. I hope the Information Commissioner investigates.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

(I hope he remembers to renew the registration when it expires next week it’s a criminal offence to process personal data as a data controller without a registration, unless you have an exemption).

But, more directly, he is a data controller because as an MP he is a person who determines the purposes for which and the manner in which the personal data of his constituents is processed. Sensible guidance for MPs is provided by Parliament itself

A Member is the data controller for all personal data that is handled by their office and they have overall responsibility for ensuring that this is done in accordance with the DPA.

As a data controller an MP must process constituents’ personal data in accordance with the eight data protection principles of the Data Protection Act 1998 (DPA). Failure to do so is a contravention of the data controller’s obligation under section 4(4). Data subjects can bring legal claims for compensation for contravention of that obligation, and for serious contraventions the ICO can take enforcement action, including the serving of monetary penalty notices to a maximum of £500,000.

The second data protection principle requires that

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

A person’s political opinions are “sensitive personal data”, afforded even greater protection under the DPA. It is not difficult to understand the historical basis for this, nor, indeed, the current basis for its still being so. Data protection law is in part an expression of and development of rights which were recognised by the drafters of the Universal Declaration of Human Rights and European Convention on Human Rights. Oppression of people on the basis of their politics was and remains distressingly common.

If constituents have given Carswell their details on the basis that it would be processed as part of his constituency work as a Conservative MP they might rightly be aggrieved if that personal data were then used by him in pursuit of his campaign as a UKIP candidate. As Paul Bernal tweeted

If I gave my data to help the Tories and found it was being used to help UKIP I’d be livid

Such use would also potentially be in breach of the first data protection principle, which requires that personal data be processed fairly and lawfully. It would not be fair to share data with a political party or for the purposes of furthering its aim in circumstances where the data subject was not aware of this, and might very reasonably object. And it would not be lawful if the data were, for instance, disclosed to UKIP in breach of confidence.

An interesting twitter discussion took place this morning about whether this apparent use of constituents’ data might even engage the criminal law provisions of the DPA. As well as Carswell, there may be other data controllers involved: if some of the data he was in possession of was for instance, being processed by him on behalf of, say, the Conservative Party itself, then the latter would be data controller. Section 55 of the DPA creates, in terms, an offence of unlawfully disclosing personal data without the consent of the data controller. However, as was agreed on twitter, this would be a complex knot to unpick, and it is unlikely, to say the least, that either the ICO or the CPS would want to pursue the matter.

Notwithstanding this, there are serious questions to be asked about the DPA implications of any MP crossing the floor. The use of personal data is likely to be a key battleground in the forthcoming general election, and throw even sharper focus on European data protection reform. I would argue that this is a subject which the ICO needs to get a grip on, and quickly.

UPDATE: Paul Bernal has written a superb piece on the broader ethical issues engaged here.

For anyone who has been in the wilderness for the last few weeks, in Google Spain the CJEU ruled that Google Spain, as a subsidiary of Google inc. operating on Spanish territory, was covered by the obligations of the European Data Protection Directive 95/46/EC, that it was operating as an entity that processed personal data in the capacity of a data controller, and that it was accordingly required to consider applications from data subjects for removal of search returns. Thus, what is loosely called a “right to be forgotten” is seen already to exist in the current data protection regime.

Many have written on this landmark CJEU ruling (I commend in particular Dr David Erdos’s take, on the UK Constitutional Law Blog) and I am not here going to go into any great detail, but what I did take issue with in the Cavoukian and Wolf piece was the figurative comparison of Google with a public library:

A man walks into a library. He asks to see the librarian. He tells the librarian there is a book on the shelves of the library that contains truthful, historical information about his past conduct, but he says he is a changed man now and the book is no longer relevant. He insists that any reference in the library’s card catalog and electronic indexing system associating him with the book be removed, or he will go to the authorities…

…The government agent threatens to fine or jail the librarian if he does not comply with the man’s request to remove the reference to the unflattering book in the library’s indexing system.

Is this a scenario out of George Orwell’s Nineteen Eighty-Four? No, this is the logical extension of a recent ruling from Europe’s highest court

(I pause briefly to say that if I never see another reference to Orwell in the context of privacy debate I will die a happy man).

I’m fond of analogies but Cavoukian’s and Wolf’s one (or maybe it’s a metaphor?) is facile. I think it could more accurately say

A man walks into a library. He sees that, once again, the library has chosen, because of how it organises its profit-making activities, to give great prominence to a book which contains information about his past conduct, which is no longer relevant, and which it is unfair to highlight. He asks them to give less prominence to it.

Cavoukian and Wolf accept that there should be a right to remove “illegal defamatory” content if someone posts it online, but feel that the issue of links to “unflattering, but accurate” information should be explored using “other solutions”. (I pause again to note that “unflattering” is an odd and loaded word to use here: Mr Gonzalez, in the Google Spain case, was concerned about out-of-date information about bankruptcy, and other people who might want to exercise a right to removal of links might be concerned by much worse than “unflattering” information).

I don’t disagree that other solutions should be explored to the issue of the persistence or reemergence of old information which data subjects reasonably no longer wish to be known, but people are entitled to use the laws which exist to pursue their aims, and the application by the CJEU of data protection law to the issues pleaded was, to an extent, uncontroversial (is Google a data controller? if it is, what are its obligations to respect a request to desist from processing?)

Cavoukian and Wolf criticise the CJEU for failing to provide sufficient instruction on how “the right to be forgotten” should be applied, and for failing to consider whether “online actors other than search engines have a duty to ‘scrub’ the Internet of unflattering yet truthful facts”, but a court can only consider the issues pleaded before it, and these weren’t. Where I do agree with them is in their criticism of the apparent failure by the CJEU, when giving effect to the privacy rights in Article 8 of the European Convention on Human Rights, and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, to consider adequately, if at all, the countervailing rights to freedom of expression in Article 10 of the former and Article 11 of the latter. In this respect, the prior Opinion of the Advocate General was perhaps to be preferred.

The key word in my replacement library ananolgy above is “chosen”. Google is not a passive and inert indexing system. Rather, it is a dynamic and commercially-driven system which uses complex algorithms to determine which results appear against which search terms. It already exercises editorial control over results, and will remove some which it is satisfied are clearly unlawful or which constitute civil wrongs such as breach of copyright. Is it so wrong that (if it gives appropriate weight to the (sometimes) competing considerations of privacy and freedom of expression) it should be required to consider a request to remove unfair and outdated private information?

In an interesting recent case (AB v A Chief Constable[2014] EWHC 1965 (QB)) the High Court determined that, on the very specific facts, it would not be fair, in terms of DPP1, and common law legitimate expectation, for a Chief Constable to send a second, non-standard, reference to the new employer of a senior police officer who was subject to disciplinary investigation. (The judgment merits close reading – this was by no means a statement of general principle about police references). The reason it would not be fair was because the officer in question had tendered his resignation upon the sending of the initial, anodyne, reference, and the force had terminated misconduct proceedings:

He was thus in the position that for the Force to send the second reference would most likely leave him without employment and without the opportunity to refute the gross misconduct allegations. In these special circumstances it would be a breach of the Data Protection Act 1998 and undermine his legitimate expectations for the second reference to be sent [¶94]

Something in particular struck me about the judge’s analysis of DPP1, although, given the outcome, it was not determinative. He rejected a submission from the claimant officer that the duty of fairness in the DPP1 and the European Data Protection Directive was a duty to be fair primarily to the data subject. Rather, correctly identifying that the privacy rights in the Directive and the DPA are grounded in article 8 of the European Convention on Human Rights and in general principles of EU law, he held that

The rights to private and family life in Article 8 are subject to the countervailing public interests set out in Article 8(2). So it is here: assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure [¶75]

I am not sure this is right. Recital 28 of the Directive says

Whereas any processing of personal data must be lawful and fair to the individuals concerned [emphasis added]

and recital 38 suggests that whether processing is “fair” is in large part dependent on whether the data subject is made aware of the processing and the circumstances under which it takes place. These recitals give way to the descriptions in Articles 10 and 11 which both talk about “fair processing in respect of the data subject” (again, emphasis added). Similarly Part II of Schedule One to the DPA provides interpretation to DPP1, and says that in determining whether personal data are processed fairly

regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed

Admittedly this introduces “any person”, which could be someone other than the data subject, but more general considerations of public interest are absent. It is also notable that the Information Commissioner’s position in guidance seems predicated solely on the belief that it is the data subject’s interests that are engaged in an analysis of “fairness”, although the guidance does conceded that processing might cause some detriment to the individual without it being unfair, but I do not think this is the same as taking into account public interest in disclosure.

To the extent that a public interest test does manifest itself in DPP1, it is normally held to be in the conditions in Schedules 2 and 3. DPPP1 says that, in addition to the obligation to process personal data fairly and lawfully, a condition in Schedule 2 (and, for sensitive personal data, Schedule 3) must be met. Many of these conditions contain tests as to whether the processing is “necessary”, and that “necessity test” constitutes a proportionality test, as described by Latham LJ in Corporate Officer of the House of Commons v The Information Commissioner & Ors [2008] EWHC 1084 (Admin)

‘necessary’…should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends

To import a public interest test into the word “fairly” in DPP1 seems to me to be a potentially radical step, especially when disclosures of personal data under the Freedom of Information Act 2000 (FOIA) are being considered. As I say – I doubt that this is correct, but I would welcome any contrary (or concurring) opinions.

(By the way, I at first thought there was a more fundamental error in the judgment: the judge found that a rule of law was engaged which ordinarily would have required the Chief Constable to send the second reference:

the public law duty of honesty and integrity would ordinarily have demanded that the Chief Constable send the Regulatory Body something more than the anodyne reference about the claimant [¶93]

If a rule of law necessitates disclosure of personal data, then the exemption at section 35 DPA removes the requirement to process that data fairly and lawfully. However, I think the answer lies in the use of the word “ordinarily”: in this instance the doctrine of legitimate expectation (which the claimant could rely upon) meant that the public law duty to send the second reference didn’t apply. So section 35 DPA wasn’t engaged.)

Whether, or in what circumstances, compensation may be awarded to a claimant who shows a contravention by a data controller of any of the requirements of the Data Protection Act 1998 (DPA), is a much-debated issue. It is also, occasionally, litigated. One key aspect is when compensation for distress might be awarded.

Section 13 of the DPA provides, so far as is relevant here, that

(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a)the individual also suffers damage by reason of the contravention

The general interpretation of this has been that compensation for distress, in the absence of pecuniary damage, is not available. The leading case on this is Johnson v The Medical Defence Union Ltd (2)[2006] EWHC 321 and on appeal Johnson v Medical Defence Union[2007] EWCA Civ 262, with Buxton LJ saying in the latter

section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered

However in allowing an appeal in Murray v Big Pictures (UK) Ltd[2008] EWCA Civ 446, and directing that the case go to trial, the Court of Appeal was prepared to consider a different view

It seems to us to be at least arguable that the judge [in the first instance] has construed ‘damage’ too narrowly, having regard to the fact that the purpose of the Act was to enact the provisions of the relevant Directive

But that case was ultimately settled before trial, and the issue left undecided.

Clearly, the decision in Johnson is potentially controversial, especially in cases (of which Johnson was not one) where the UK’s obligations under the European Data Protection Directive, and data subjects’ associated rights under the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union, are taken into account. This much was recognised by Tugendhat J, in giving permisssion to the applicants in Vidal -Hall & Ors v Google Inc [2014] EWHC 13 (QB) to serve on Google Inc out of jurisdiction. He noted (¶83-104) academic statements on the issue, as well as the European Commission’s view that the UK DPA wrongly restricts “[t]he right to compensation for moral damage when personal information is used inappropriately”, and said

This is a controversial question of law in a developing area, and it is desirable that the facts should be found. It would therefore be the better course in the present case that I should not decide this question on this application.

I shall therefore not decide it. However, in case it is of any assistance in the future, my preliminary view of the question is that Mr Tomlinson’s submissions are to be preferred, and so that damage in s.13 does include non-pecuniary damage

This is a fascinating point, and detailed judicial consideration of it would be welcomed (it may also be at issue in the impending case of Steinmetz v Global Witness Ltd) but, in the meantime, a question exists as to whether nominal pecuniary damage opens the door to awards for distress. In Johnson, the cost of a £10.50 breakfast had opened the door, but this was actual (if minor) damage. Last year, the Court of Appeal avoided having to decide the issue when the defendant conceded the point in Halliday v Creation Consumer Finance Ltd (CCF)[2013] EWCA Civ 333 (about which I blogged last year). However, in a very recent judgment, AB v Ministry of Justice[2014] EWHC 1847 (QB), which takes some wading through, Mr Justice Baker does appear to have proceeded on the basis that nominal damages do give rise to distress compensation.

The case involves an (anonymous) partner in a firm of solicitors who, as a result of events involving the coroner following his wife’s tragic death, made a series of subject access requests (under the provisions of section 7 DPA). The Ministry of Justice (MoJ) did not, it seems, necessarily handle these well, nor in accordance with their obligations under the DPA, and when it came to remedying these contraventions (which consisted of delayed responses) the judge awarded nominal damages of £1.00, before moving on to award £2250 for distress caused by the delays.

What is not clear from the judgment is to what extent the judge considered the MoJ’s submission that compensation for distress was only available if an individual has also suffered damage. The answer may lie in the fact that, although he awarded nominal damages, the judge accepted that AB had suffered (actual) damage but had “not sought to quantify his time or expense”. Query, therefore, whether this is a case of purely nominal damage.

One hopes that Vidal-Hall and Global Witness give the occasions to determine these matters. One notes, however, the vigour with which both cases are being litigated by the parties: it may be some time before the issue is settled once and for all.